Executioner (Ransomware)
This article is about the ransomware. For the DOS virus, see Executioner.

Executioner is a ransomware family based on EDA2, a ransomware building kit that was open-sourced and published on GitHub in late 2015.

Payload

Once the user launches the ransomware's EXE file, it looks for and encrypts the following file types:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .png, .jpg, .rtf, .mpg, .mp3, .png

Files that have been encrypted keep their original names and have a random six-character alphanumeric extension appended.
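As an added defender-side example (not code from the wiki or from the malware), the following Python triage helper scans a directory listing for the two host indicators this article describes: a targeted file type with a random six-character alphanumeric extension appended, and the ransom note file Sifre_Coz_Talimat.html described below. The extension subset and the sample filenames are constructed for the example.

```python
import os
import re
from typing import Dict, Iterable, List

# Subset of the file types the article lists as targeted (constructed subset
# for this example; extend it from the full list above).
TARGETED_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".sql", ".zip", ".rar", ".pem", ".pfx", ".sav",
}
# Ransom note dropped on the desktop, as named in the article (lower-cased
# because Windows filenames are case-insensitive).
RANSOM_NOTE_NAME = "sifre_coz_talimat.html"
# Encrypted files keep their original name and gain a random six-character
# alphanumeric extension, e.g. "report.docx.k7Qm2Z" (constructed sample).
APPENDED_EXT = re.compile(r"^.+?(?P<orig>\.[A-Za-z0-9]+)\.[A-Za-z0-9]{6}$")

def looks_encrypted(name: str) -> bool:
    """True if a basename matches the Executioner renaming pattern.
    Heuristic: a real six-letter extension such as ".backup" after a targeted
    type also matches, so treat hits as candidates rather than proof."""
    m = APPENDED_EXT.match(name)
    return bool(m) and m.group("orig").lower() in TARGETED_EXTENSIONS

def triage(filenames: Iterable[str]) -> Dict[str, object]:
    """Score a listing of basenames for the article's two host indicators."""
    names = list(filenames)
    candidates = sorted(n for n in names if looks_encrypted(n))
    note_present = any(n.lower() == RANSOM_NOTE_NAME for n in names)
    if note_present and candidates:
        verdict = "likely Executioner activity"
    elif note_present or candidates:
        verdict = "possible Executioner activity"
    else:
        verdict = "no indicators"
    return {"ransom_note_present": note_present,
            "encrypted_candidates": candidates,
            "verdict": verdict}

def triage_directory(root: str) -> Dict[str, object]:
    """Walk a directory tree (e.g. a mounted disk image) and triage basenames."""
    names: List[str] = []
    for _dirpath, _dirnames, files in os.walk(root):
        names.extend(files)
    return triage(names)
```

Run `triage_directory` against a mounted image or a user profile to get a quick verdict; review the candidate list by hand, since legitimate six-letter extensions produce false positives.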
The encryption routine skips files located in the following folders:

Windows
Program Files
Program Files (x86)

Once the file encryption process ends, the ransomware downloads the following image from the Imgim.com image hosting service and sets it as the user's desktop wallpaper. It also drops the following ransom note on the user's desktop. The file is named Sifre_Coz_Talimat.html, which is Turkish for "Instructions for password" (approximate translation). The ransom note reads:

Oops all of your files Are safely Encrypted!!! "
Please Visit any links that given below to read the instructions and learn how to Decrypt Your Files!!
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
------------------------------------------------------------------------------------------------
IF IT DOESN'T WORK TRY THIS!!
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
------------------------------------------------------------------------------------------------
IF IT DOESN'T WORK AGAIN THEN TRY THIS!!
1. Download 'Tor Browser' from https://www.torproject.org/ and install it.!
2. OPEN ANY LINK THAT GIVEN BELOW!!!
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
------------------------------------------------------------------------------------------------
YOUR COMPUTER ID TEST
------------------------------------------------------------------------------------------------

The note continues with the same content in Turkish:

Tum Dosyalariniz Guvenle Sifrelenmistir! "
Lutfen asagida verilen linklerden birini ziyaret ederek dosyalarinizi kurtarmak icin TALIMATLARI OKUYUNUZ!!!
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
------------------------------------------------------------------------------------------------
EGER CALISMAZ ISE ASAGIDA VERILEN LINKLERDEN BIRINE GIRINIZ!
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
------------------------------------------------------------------------------------------------
EGER YUKARIDAKI VERILEN METHOD OLMADIYSA ASAGIDAKI METHODU DENEYINIZ!!!
1. 'Tor Browser'u https://www.torproject.org/ sitesinden indirip kurunuz !
2. ASAGIDA BULUNAN LINKLERDEN BIRTANESINE GIRINIZ!!!!
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
------------------------------------------------------------------------------------------------
KIMLIK NUMARANIZ TEST
------------------------------------------------------------------------------------------------

[Image: desktop-wallpaper.jpg, the "EXECUTIONER RANSOMWARE" desktop wallpaper]

The ransom note directs victims to a Dark Web portal where they receive further instructions. This ransom payment portal is available in Turkish and English, supporting the assessment that the author of this ransomware is of Turkish origin. The portal runs on a modified version of the EDA2 backend panel.

The ransomware does not use a C&C server; instead it sends information about infected computers by email to an inbox under the attacker's control. Executioner collects the computer name, username, IP address and decryption key and sends them as an email from "executioner.ransom@bk.ru" to "executioner.ransom@protonmail.com".

Categories: Ransomware, Win32 ransomware, Win32, Microsoft Windows, Trojan, Win32 trojan